Understanding GDPR
If you have never heard of GDPR OR if you have… but don’t quite understand what it means for you and your childcare business then you need to read this!
General Data Protection Regulation or GDPR came into force on 28th May 2018, a new law replacing the UK Data Protection Act 1998 and applying to ALL businesses from large organisations to small partnerships and sole traders…including childminders!
The purpose of the new law is to provide greater protection and control of personal data for individuals at a time when advances in technology have created a world where personal information may be easily accessed and shared. Whilst this can be advantageous in many circumstances, it can also become dangerous if information falls into the wrong hands.
As a childcare provider, you will collect and process personal and often sensitive information about the children and families you provide care for. Legally you must therefore abide by this new law or risk monetary penalties or even prosecution for non-compliance.
Whilst there is lots of information on the internet, reading through GDPR legislation can be overwhelming and it can be very confusing to work out what you actually need to do.
Cover the essentials in 9 easy steps…
1. Register with the Information Commissioner's Office (ICO)
The ICO is the UK's independent authority set up to uphold information rights in the public interest and is responsible for regulating GDPR compliance. As a childcare provider you collect information about the children and families you provide care for and are therefore considered a data controller.
An annual fee is required for registration (£35 if you choose to pay by direct debit or £40 if you wish to use another method of payment). Find further information and register on the ICO website here.
2. Check what information you collect
Think about the methods you use to collect information about children, families and any staff or assistants you employ, and the type of data you collect. GDPR requires you to identify a lawful basis for processing all personal data; in other words, you should only be collecting information that you need to know in order to carry out your responsibilities as a childcare provider. There are several lawful bases that you can use, which you can read more about in our FREE GDPR Guide; however, the main principle is that you should only be asking for information that you require in order to fulfil your duties and legal requirements. If you are asking for additional information, for example questions about religion or ethnic origin on your registration forms, then you need to make clear your reasons for requesting this information and that providing it is optional.
Find our template Care Plans / Registration Forms in the Care Plans & Consents Pack.
3. Ensure all personal information is stored SECURELY
Any items containing personal or sensitive data, whether for a child, family or staff member, must be stored safely and securely. Paper documents can be stored in a lockable file box, filing cabinet or cupboard when not in use, and any information saved on a computer or other electronic device (e.g. electronic forms, emails, photographs, videos, etc.) should be secured with a password and virus protection. Be careful not to leave anything lying around and ensure any staff or assistants are aware of your data storage procedures.
4. Check it is okay to take Photographs or to Share Information
It is important to remember that GDPR is all about giving individuals more rights and control over what data is collected and processed about them. You need to be very careful when it comes to certain forms of data, for example photographs or videos and also in circumstances where information is to be shared with others.
Always be clear with parents who information will be shared with and seek consent to take photos or videos of children. Make it clear how you intend to use this information and ask parents to sign a data sharing agreement if information is to be shared with any third parties for example with a health visitor, another childcare provider or nursery. Only in exceptional circumstances such as an emergency or where you have safeguarding concerns should you share personal details without seeking consent.
Find template Photograph Permission and Data Sharing Agreement forms in the Care Plans & Consents Pack.
5. Review your Consent Forms
Under the new regulation, consent requests must be clear, concise and easy to understand in order to give people genuine control over how their data is used. Pre-ticked opt-in boxes or any other method of default consent can no longer be used, as these are not indications of valid consent.
In addition to this, the new law makes clear that individuals have the right to withdraw their consent at any time so it is really important to consider which activities and circumstances you seek formal consent for. For example, it is necessary to ask for permission to administer medication or take photographs but for other activities, such as routine outings or transporting in a car, it may be enough to explain clearly your procedures and invite parents to share any preferences or concerns. Should a parent suddenly withdraw their consent to transport their child, this could have major implications on how you manage your daily schedule and maintain routine for other children.
Refer to the Care Plans & Consents Pack for template forms.
6. Clearly Communicate your Data Handling Procedures
GDPR requires you to explain clearly to parents, staff and service users why and how you collect, process, share, store, retain and eventually destroy data. Put together a Privacy Notice and Retention Policy to explain in detail the procedures you follow in your service to ensure the confidentiality and security of data. If you employ staff or assistants, you will need to ensure that they understand the importance of data management procedures and receive appropriate training.
Find templates within the GDPR Toolkit or the Policies & Procedures Pack.
7. Be ready to respond to Information Requests
Under GDPR, all data subjects (children, parents, assistants or members of staff) have the right to request access to information that you hold about them. You must be extremely careful, however, to always check the identity and rights of the individual requesting data before sharing anything. You must also check whether there are any legal or regulatory restrictions that will prevent you from being able to carry out their request. GDPR requires you to respond to any requests for information within one month, so it is extremely important that you use a structured system to store and manage data so that you can find all of the relevant documents if required.
Refer to the GDPR Toolkit for resources to further assist with Subject Access Requests.
8. Regularly Review, Update and ERASE data
It is important that you take the time to regularly review the information that you hold, request that parents check and update any details, and erase or pass on any records that you no longer require; for example, you may wish to send daily diaries home with children once they are full, or photographs that are no longer needed. You should have clear procedures to follow at the end of a childcare arrangement and explain to parents in your Retention Policy why you must legally retain certain records, for example any safeguarding or financial records, in order to fulfil your legal obligations.
Find Data Inventory and Information Asset Registers in the GDPR Toolkit to assist with keeping accurate records and refer to the Contract Termination Letters to assist with data management at the end of a childcare arrangement.
9. Know what to do in the event of a Data Breach
In the unfortunate event of a data breach (i.e. when personal or sensitive information has fallen into the wrong hands or been accessed without consent), you must carry out a full investigation as to what has happened, put any necessary measures in place to minimise further impact and notify the Information Commissioner's Office (ICO) within 72 hours. Any individuals concerned must also be notified without delay and kept informed of investigation procedures.
You will need to complete a Data Breach Record detailing what has happened, what information was exposed, the individuals involved and when they and the ICO were notified.
Find a Data Breach Form in the GDPR ToolKit.